From 041a37635bd62b2056f7955fcada51d79dc8bc58 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Tue, 15 Mar 2022 06:08:29 -0400
Subject: [PATCH] Remove some tls_ver < MBEDTLS_SSL_VERSION_TLS1_2 checks

mbedtls no longer supports earlier TLS protocol versions

Signed-off-by: Glenn Strauss
---
 library/ssl_msg.c | 4 ----
 library/ssl_tls.c | 6 ------
 library/ssl_tls12_server.c | 5 +----
 3 files changed, 1 insertion(+), 14 deletions(-)

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index f1e852e21e..1ee51b2f01 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -4959,10 +4959,6 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
 static size_t ssl_transform_get_explicit_iv_len( mbedtls_ssl_transform const *transform )
 {
- /* XXX: obsolete test? (earlier vers no longer supported?) */
- if( transform->tls_version < MBEDTLS_SSL_VERSION_TLS1_2 )
- return( 0 );
-
 return( transform->ivlen - transform->fixed_ivlen );
 }
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 277904ddd0..8f6f7b2d91 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7053,9 +7053,6 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
 mac_enc = keyblk;
 mac_dec = keyblk + mac_key_len;
- /*
- * This is not used in TLS v1.1.
- */
 iv_copy_len = ( transform->fixed_ivlen ) ? transform->fixed_ivlen : transform->ivlen;
 memcpy( transform->iv_enc, key2 + keylen, iv_copy_len );
@@ -7073,9 +7070,6 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
 mac_enc = keyblk + mac_key_len;
 mac_dec = keyblk;
- /*
- * This is not used in TLS v1.1.
- */
 iv_copy_len = ( transform->fixed_ivlen ) ? transform->fixed_ivlen : transform->ivlen;
 memcpy( transform->iv_dec, key1 + keylen, iv_copy_len );
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 49cda3ff90..9e3e7362ca 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -951,7 +951,7 @@ static int ssl_check_key_curve( mbedtls_pk_context *pk,
 static int ssl_pick_cert( mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
 {
- mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
+ mbedtls_ssl_key_cert *cur, *list;
 mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
 uint32_t flags;
@@ -1015,9 +1015,6 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
 break;
 }
- if( cur == NULL )
- cur = fallback;
-
 /* Do not update ssl->handshake->key_cert unless there is a match */
 if( cur != NULL )
 {
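Review bot: `cur` is still declared without an initialiser on the changed line of the first ssl_pick_cert hunk, while the later hunk leaves `if( cur != NULL )` as the only test guarding the key_cert update that the comment above it describes. The code that assigns `cur` lies between the two hunks and is not visible here, so this presumably holds only because the search loop always sets it. Declaring it as `mbedtls_ssl_key_cert *cur = NULL, *list;` would make the no-match path well defined regardless of how the loop is entered. ssl_pick_cert's body continues outside both hunks.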